OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

Information Security Series:
Security Practices

Clean Air Markets Division
Business System

Report No. 2006-P-00024

May 4, 2006

Report Contributors:
Rudolph M. Brevard
Charles Dade
Neven Morcos
Jefferson Gilkeson
Scott Sammons

Abbreviations

ASSERT    Automated Security Self-Evaluation and Remediation Tracking
C&A       Certification and Accreditation
CAMDBS    Clean Air Markets Division Business System
EPA       U.S. Environmental Protection Agency
FISMA     Federal Information Security Management Act
NCC       National Computer Center
OAR       Office of Air and Radiation
OIG       Office of Inspector General
OMB       Office of Management and Budget
POA&M     Plan of Action and Milestones
RTP       Research Triangle Park

U.S.
Environmental Protection Agency
Office of Inspector General
Report No. 2006-P-00024
May 4, 2006

At a Glance

Catalyst for Improving the Environment

Information Security Series: Security Practices
Clean Air Markets Division Business System

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency's compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Air and Radiation's (OAR's) Clean Air Markets Division Business System (CAMDBS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. CAMDBS is the data system EPA uses to support the market-based emissions trading programs.

What We Found

The Office of Air and Radiation (OAR) had substantially complied with many of the information security controls tested. In this regard, OAR developed and tested a contingency plan for the Clean Air Markets Division Business System (CAMDBS), and personnel with significant security responsibility completed the Agency's recommended specialized security training courses. However, our audit identified areas where OAR should place greater emphasis to comply with Federal and Agency information security requirements. We found that CAMDBS, a major application, was operating without (1) an up-to-date risk assessment and (2) effective practices to ensure that all production servers were monitored for known security vulnerabilities. OAR could have discovered the identified weaknesses had the office reviewed its implemented practices for completing these requirements as well as those of the National Computer Center (NCC), the group charged with primary responsibility for monitoring the servers. As a result, CAMDBS officials lacked key security management tools that could be used to proactively identify potential security weaknesses.

What We Recommend

We recommend that the CAMDBS System Owner:

• Conduct a full formal risk assessment of CAMDBS in accordance with Federal and Agency requirements.

• Coordinate with the NCC to verify that it is regularly monitoring all CAMDBS production servers for known vulnerabilities, at least monthly.

• Develop a Plan of Action and Milestones in the Agency's information security weakness tracking system for all noted deficiencies.

We recommend that the OAR Information Security Officer:

• Conduct a review of OAR's current information security oversight processes and implement identified process improvements.

OAR agreed with the findings in the draft report and indicated that the office has moved forward aggressively to implement the recommendations. OAR's complete response is in Appendix A.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060504-2006-P-00024.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

May 4, 2006

MEMORANDUM

SUBJECT:  Information Security Series: Security Practices
          Clean Air Markets Division Business System
          Report No. 2006-P-00024

TO:       William Wehrum
          Assistant Administrator for Air and Radiation

This is our final audit report on the information security controls audit of the Office of Air and Radiation's Clean Air Markets Division Business System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final U.S. Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed-upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Rudolph M. Brevard, Director, Information Technology Audits, at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575.

Bill A. Roderick
Acting Inspector General

Table of Contents

At a Glance
Purpose of Audit
Background
Scope and Methodology
CAMDBS' Compliance with Federal and Agency Security Requirements
    Certification and Accreditation
    System Monitoring for Known Vulnerabilities
Recommendations
Agency Comments and OIG Evaluation

Appendices
A  Agency Response to Draft Report
B  Distribution
Purpose of Audit

Our objective was to determine whether the Office of Air and Radiation's (OAR's) Clean Air Markets Division Business System (CAMDBS) complied with Federal and Agency information security requirements. CAMDBS is the data system EPA uses to support the market-based emissions trading programs.

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. EPA's Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure the security of its network infrastructure is consistent with these requirements. Program office heads are responsible for ensuring that the security of each major application within their organization is managed in accordance with all appropriate government-wide and EPA-specific information technology policies, procedures, and standards.

A program office should create a Plan of Action and Milestones (POA&M) when it identifies a security control weakness. The POA&M, which documents the planned remediation process, is recorded in the Agency's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool. ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency's official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA's information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA's Computer Security Program.

During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed each office's security practices surrounding these applications. Our overall review noted instances where EPA could improve its security practices, and the OIG reported the results to EPA's Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to security practice weaknesses identified in OAR. In particular, this report summarizes our results regarding how OAR implements Federal and EPA security policies and procedures. This report also includes our evaluation of how OAR implemented, tested, and evaluated CAMDBS' information security controls to ensure continued compliance with selected information security requirements.
The Scope and Methodology section contains the specific information security controls audited during this review.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC, and the National Computer Center (NCC), Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at both locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities.

We reviewed the following security practices for CAMDBS:

• Security Certification and Accreditation (C&A) Practices -- We evaluated whether application security plans, risk assessments, and authorizations for operation complied with Federal and Agency standards. We also reviewed the C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.

• Application Contingency Plans -- We reviewed whether the contingency planning practices complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and the EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices).

• Security Controls -- We reviewed two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing; and (2) physical controls. The NCC manages the servers that run CAMDBS and provides the primary security controls for the application. Therefore, when evaluating system vulnerability monitoring, we reviewed practices at the NCC. We did not test physical controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review, and that audit found instances where EPA could improve its physical controls at RTP. The OIG reported the results of that audit in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus.

• Annual Training Requirements -- We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

CAMDBS' Compliance with Federal and Agency Security Requirements

We found that (1) OAR had developed and tested a contingency plan for CAMDBS, and (2) personnel with significant security responsibility satisfied the Agency's recommended specialized security training necessary to perform their duties. However, we noted instances where OAR should place more emphasis on complying with established Federal and Agency information security requirements. In particular, our review noted:

• Although the CAMDBS system owner maintained a list of risks associated with the application, the system owner did not conduct a full formal risk assessment, which includes testing the controls, as required by Federal and EPA requirements. Upon notification of our finding, OAR officials indicated that they entered POA&Ms in the Agency's security tracking database to track the completion of the risk assessment.

• One of the two CAMDBS production servers was not being monitored for known vulnerabilities. NCC personnel indicated that the server had been added to the routine vulnerability monitoring list, and the Agency took immediate action to remediate the identified vulnerabilities.

Promptly conducting risk assessments and monitoring servers for security vulnerabilities help managers ensure that the Agency's network infrastructure is adequately protected. These widely recognized preventive controls aid in identifying potential security weaknesses and assist security personnel in taking the necessary remediation steps to prevent security incidents. By not emphasizing these key security controls, CAMDBS officials lacked key security management tools that could be used to proactively identify potential security weaknesses.

Certification and Accreditation

OAR could improve procedures to ensure that key security tasks are completed. Although OAR maintained a Risk Inventory and Assessment Table in the current security plan, OAR did not complete a full formal risk assessment, which includes testing the controls to ensure that they were effective and operated as intended; 3 years had passed since OAR last tested the controls. OAR officials indicated that they would complete the risk assessment. OAR also indicated that it has entered tasks in ASSERT to identify and track the requirements of incorporating National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems; update the security plan; modify the C&A package; and obtain accreditation of CAMDBS by the end of September 2006.

The information used by OAR officials to make the reauthorization decision is contained in the CAMDBS C&A package, which includes documents such as the most recent system security plan, authorization for operation, and risk assessment. The assessment of risk is an important activity in the Agency's information security program that directly supports security accreditation (management's authorization to operate an information system). Maintaining an up-to-date C&A package is essential because senior OAR officials use these documents to determine whether CAMDBS' current security controls are sufficient and whether adjustments to security controls are necessary before reauthorizing CAMDBS and its subsystems to operate.

System Monitoring for Known Vulnerabilities

OAR security control processes did not ensure that all CAMDBS production servers were monitored for known vulnerabilities. The NCC manages the servers that run CAMDBS and provides the primary security controls for the application. Interviews with NCC personnel and vulnerability tests of the CAMDBS production servers revealed that one of the two CAMDBS production servers (1) was not being routinely monitored and (2) contained known vulnerabilities. Upon being notified of these weaknesses, NCC personnel informed us that the unmonitored server would be added to the routine vulnerability scanning list, and the NCC took immediate action to remediate the identified vulnerabilities.

Routine monitoring of servers for vulnerabilities is widely recognized as a preventive control that helps security personnel proactively identify and eliminate known vulnerabilities before they can be exploited. With a formalized process to ensure this function is being performed, management has more assurance that OAR mission-critical information systems are adequately protected against publicized computer attacks.

Recommendations

We recommend that the Clean Air Markets Division Business System (CAMDBS) System Owner:

1. Conduct a full formal risk assessment of CAMDBS in accordance with Federal and Agency requirements.

2. Coordinate with the National Computer Center to verify that it is regularly monitoring all CAMDBS production servers for known vulnerabilities, at least monthly.

3. Develop a Plan of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the Office of Air and Radiation (OAR) Information Security Officer:

4. Conduct a review of OAR's current information security oversight processes and implement identified process improvements.

Agency Comments and OIG Evaluation

OAR agreed with the findings in the draft report and indicated that the office has moved forward aggressively to implement the recommendations.
OAR's complete response is in Appendix A.

Appendix A

Agency Response to Draft Report

April 24, 2006

MEMORANDUM

SUBJECT:  Final Response to the OIG Draft Report on the 2005 CAMDBS Audit

FROM:     Elizabeth Craig /s/
          Deputy Assistant Administrator

TO:       Rudolph M. Brevard, Director
          Information Technology Audits
          Office of the Inspector General

Thank you for the opportunity to review the revised draft report of the FY 2005 FISMA Audit of OAR's Clean Air Markets Division Business System (CAMDBS).

Attached is our response to the report and we agree with the findings and appreciate you bringing them to our attention. As you know, many of the minor problems were quickly resolved and activities are underway to address the remaining issues.

We look forward to seeing the final version, which should offer a balanced characterization of the identified problems.

cc: Brian McLean
    Jerry Kurtzweg

April 20, 2006

Comments of OAR/OAP/Clean Air Markets Division
On the Findings and Recommendations in the
Revised OIG Final Audit Report,
"Information Security Series: Security Practices,
Clean Air Markets Division Business System,"
March 30, 2006

We have reviewed the revised Audit Report, "Information Security Series: Security Practices, Clean Air Markets Division Business System," Assignment No. 2005-000661, dated March 30, 2006. We concur with the findings and recommendations presented.

FINDINGS

Finding 1: CAMDBS is operating with an expired Risk Assessment.

We concur with this finding. The last full, formal, independent Risk Assessment for CAMDBS was completed in February 2002. We do understand and agree that "The assessment of risk is an important activity in the Agency's information security program [which] directly supports security accreditation (management's authorization to operate an information system)." This is, we believe, reflected by the fact that OAR has been performing annual risk assessments of CAMDBS through ASSERT. Nevertheless, a new full, formal, independent Risk Assessment should have been completed, triggered by the requirements for triennial review or major changes to the system. (Although the CAMDBS application itself was not changed significantly, there were changes in the underlying hardware when CAMDBS was moved from one database server to another.)

As noted in the report, OAR did begin conducting a Risk Assessment in February 2005, and plans to complete the effort by the end of June 2006. This will result in certification and an updated Security Plan by early September 2006, and reaccreditation by the end of September 2006, when the current CAMDBS certification and accreditation would expire. (CAMDBS was last certified and accredited in October 2003.)

The delay in completing the Risk Assessment begun in 2005 was in response to an April 4, 2005 memorandum from the Deputy CIO, Risk Based Decision to Temporarily Suspend the Requirement for Completion of Formal Risk Assessments to Support Security Plan Updates for Certain Systems: "[T]his temporary suspension is ... to allow for a reasonable, cost-effective transition to Agency-wide implementation of the new security life cycle being promulgated by the National Institute of Standards and Technology."

A Plan of Action and Milestones (POA&M) regarding the Risk Assessment was entered into ASSERT and is being tracked.

Finding 2: CAMDBS was operating without effective practices to ensure that all production servers were monitored for known security vulnerabilities.

We concur with this finding. We recognize that some technical vulnerabilities were identified in the OIG-performed scans of these systems and that coordination between CAMDBS and NCC staff needed improvement. Results of system scans have been shared with CAMDBS on an "exception" basis: problems requiring coordination were identified, but full results were not. We are working with NCC to develop a system of sharing system scan information that will meet both our needs. Staff and managers responsible for the operation and security profile of the CAMDBS application are in regular and frequent (at a minimum, biweekly, and usually, at the staff level, daily) contact with staff and managers at the NCC to discuss coordination and collaboration on matters of common interest and potential interaction and issue resolution.

Finding 3: OAR developed and tested a contingency plan for CAMDBS.

We concur with this finding. In fact, we believe that our efforts in this area are critically important and worthy of specific recognition.

Finding 4: Personnel with significant security responsibility completed the Agency recommended specialized security training.

We concur with this finding.

RECOMMENDATIONS

We concur with all of the recommendations. In fact, we have moved ahead aggressively to implement these recommendations.

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Air and Radiation
Acting Assistant Administrator for Environmental Information
Director, Technology and Information Security Staff
Audit Followup Coordinator, Office of Air and Radiation
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General
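The control behind Finding 2 and Recommendation 2 (every production server in scope is on the routine scan list and is scanned at least monthly) is easy to state and easy to lose track of, because a scanner only reports on hosts it was told about. The Python below is an added example written for this page; it is not code from the OIG report, EPA, or the NCC, and the host names, dates, and scan results in it are constructed. It assumes the server inventory comes from the system security plan or another authoritative list, and that the scanner can export a per-host history of completed scans with a count of open findings. It goes slightly beyond the single unscanned-server case the audit found: it also flags servers whose last scan is older than 30 days, servers whose latest scan still reports open findings, and scanned hosts that are not in the inventory. A hardware change of the kind the OAR response describes (moving CAMDBS from one database server to another) is exactly when such a reconciliation is worth running.

```python
"""Reconcile an authoritative server inventory against vulnerability-scanner
coverage. Added example for this page; all hosts, dates and results are
constructed and do not describe any EPA or NCC system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# "At least monthly" (Recommendation 2), expressed as the maximum age of the
# most recent completed scan for each production server.
MAX_SCAN_AGE = timedelta(days=30)

# Date the reconciliation is run (constructed; field work ended July 2005).
AS_OF = date(2005, 7, 1)


@dataclass(frozen=True)
class ScanRecord:
    host: str
    scanned_on: date
    open_findings: int  # unremediated findings reported by that scan


# Constructed inventory. In practice this is the list of servers in production
# scope from the system security plan, which is the source of truth here.
INVENTORY = {
    "app-prod-01.example.gov",
    "web-prod-01.example.gov",
    "db-prod-02.example.gov",  # hypothetical host added when the database moved
}

# Constructed scanner export. db-prod-02 never made it onto the scan list,
# which is the gap the audit describes; old-db-prod-01 is still being scanned
# although it is no longer in the inventory.
SCAN_RECORDS = [
    ScanRecord("app-prod-01.example.gov", date(2005, 5, 18), 2),
    ScanRecord("app-prod-01.example.gov", date(2005, 6, 20), 0),
    ScanRecord("web-prod-01.example.gov", date(2005, 5, 2), 3),
    ScanRecord("old-db-prod-01.example.gov", date(2005, 6, 21), 0),
]


def latest_scans(records):
    """Reduce a scan export to the most recent record per host."""
    latest = {}
    for rec in records:
        current = latest.get(rec.host)
        if current is None or rec.scanned_on > current.scanned_on:
            latest[rec.host] = rec
    return latest


def reconcile(inventory, records, as_of, max_age=MAX_SCAN_AGE):
    """Compare the authoritative inventory with scanner coverage.

    Returns sorted host lists under four keys:
      unscanned   in scope but absent from the scanner entirely
      stale       in scope, but last scan older than max_age
      unresolved  in scope, latest scan still reports open findings
      orphaned    scanned, but not in the inventory (retired or unknown host)
    """
    latest = latest_scans(records)
    scanned = set(latest)
    in_scope = inventory & scanned
    return {
        "unscanned": sorted(inventory - scanned),
        "stale": sorted(h for h in in_scope
                        if as_of - latest[h].scanned_on > max_age),
        "unresolved": sorted(h for h in in_scope
                             if latest[h].open_findings > 0),
        "orphaned": sorted(scanned - inventory),
    }


def poam_lines(findings):
    """Render the reconciliation as one tracking line per weakness, the shape
    an entry in a POA&M tracker such as ASSERT would start from."""
    action = {
        "unscanned": "not on routine scan list; add and scan",
        "stale": "last scan older than 30 days; rescan",
        "unresolved": "open findings in latest scan; remediate and verify",
        "orphaned": "scanned but not in inventory; confirm status, retire or add",
    }
    return [f"{host}: {action[cat]}"
            for cat in ("unscanned", "stale", "unresolved", "orphaned")
            for host in findings[cat]]


def run_example():
    """Reconcile the constructed inventory and scan export as of AS_OF."""
    return reconcile(INVENTORY, SCAN_RECORDS, AS_OF)


if __name__ == "__main__":
    for line in poam_lines(run_example()):
        print(line)
```

Run as a script, the block prints one line per weakness; carrying those lines into the Agency's tracking system is what Recommendation 3 asks for. The design point is that the inventory, not the scanner, is the reference: the NCC's scan list could only confirm coverage of servers it already knew about, which is why the second production server stayed unmonitored until the OIG's own vulnerability tests.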